Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week


This past week was Patch Tuesday: Microsoft released CVEs for 90 new vulnerabilities. But that wasn’t the vendor’s only contribution to our list — Entra ID, Microsoft’s cloud directory product, also had a recent snag. Additionally, I looked at Linux, SolarWinds, and Android vulnerabilities. Ivanti continues to have issues, this time with its Virtual Traffic Manager product. Happy patching, and don’t forget to watch your vendors’ security feeds consistently.

August 12, 2024

Ivanti Runs Into Snag With Virtual Traffic Manager

Type of vulnerability: Authentication bypass.

The problem: Ivanti Virtual Traffic Manager has a vulnerability that could lead to authentication bypass and subsequent creation of an administrator when exploited. According to the National Institute of Standards and Technology, the vulnerability stems from an incorrect implementation of authentication algorithms and exists in all vTM versions except 22.2R1 and 22.7R2.

“Customers who have ensured their management interface is bound to an internal network or private IP address have significantly reduced their attack surface,” the Ivanti notice reads. The vendor didn’t notice any active exploits when it released the security notice.

The flaw is tracked as CVE-2024-7593 and has a CVSS score of 9.8, a critical rating.

The fix: Ivanti recommends updating Virtual Traffic Manager to the latest version, which you can do by logging into the Ivanti standard downloads portal.

August 13, 2024

Microsoft Patch Tuesday Sees Elevation of Privilege Vulnerability

Type of vulnerability: Multiple, including elevation of privilege.

The problem: Last week, Microsoft’s monthly Patch Tuesday announced 90 new CVEs, including multiple zero-day vulnerabilities. According to Trend Micro Zero Day Initiative researcher Dustin Childs, Microsoft listed four of the CVEs as public, and six are being actively exploited. That’s unusual for a single release, he said.

One of the vulnerabilities highlighted in Patch Tuesday was an elevation-of-privilege flaw in Windows Update. According to Microsoft, the vulnerability allows a threat actor with basic privileges to reintroduce old vulnerabilities that had already been mitigated. The attack would also need “additional interaction by a privileged user to be successful.”

The vulnerability is tracked as CVE-2024-38202 and has a severity score of 7.3.

The fix: There isn’t an official mitigation strategy for the EoP vulnerability yet; Microsoft will update its security notice whenever it releases a patch or other fix.

Patch Tuesday Lineup Also Includes RCE Flaw

Type of vulnerability: Remote code execution.

The problem: Microsoft discovered a vulnerability in the Windows Transmission Control Protocol (TCP) / Internet Protocol (IP) stack that affects Windows machines running IPv6. This vulnerability also belonged to the month’s Patch Tuesday roundup and is one of the more severe flaws patched recently, with a CVSS score of 9.8.

“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” the notice said. Microsoft Security Response Center announced the vulnerability and instructed users to patch it. The flaw affects Windows Server, Windows 10, and Windows 11.

The fix: Install the most recent Windows security updates, which have the vulnerability patched. While disabling IPv6 is a possible fix, it’s not recommended, since that could stop other Windows components from working properly.

If your team is overwhelmed by new vulnerabilities, check out our guide to the best vulnerability scanners. These products automatically search your systems for flaws, based on known vulnerabilities.

August 15, 2024

SolarWinds Flaw Should Be Immediately Patched

Type of vulnerability: Deserialization, leading to remote code execution.

The problem: SolarWinds Web Help Desk is vulnerable to a Java deserialization flaw that allows remote threat actors to execute code on hosts. Researchers reported the issue to SolarWinds as an unauthenticated vulnerability, but according to Tenable, SolarWinds hasn’t been able to recreate the exploit without authentication, so it’s likely a difficult flaw to exploit. The vulnerability is tracked as CVE-2024-28986 and has a base CVSS score of 9.8.

The fix: Tenable recommends patching your instance of Web Help Desk despite SolarWinds’ inability to reproduce the exploit without authentication. Install Web Help Desk version 12.8.3 first, and then install the hotfix once you’ve updated the software.

Third-Party Application Package Installed on Pixel Devices

Type of vulnerability: Third-party application package installed on Pixel device firmware, with insufficient security controls.

The problem: Mobile security vendor iVerify’s EDR product discovered an unsecured Android device at data analytics firm Palantir Technologies. Researchers investigating the threat found an Android application package, Showcase.apk, that’s part of the device firmware. When it’s enabled, the package allows threat actors to access the operating system.

This vulnerability also opens Androids to code injection, man-in-the-middle attacks, and spyware, according to iVerify’s blog post about the vulnerability. The application runs with too-high privileges, and it’s installed on many Pixel devices that have been shipped for the past seven years.

iVerify notified Google about the vulnerability, and Google plans to release an update that removes Showcase.apk from its Pixel phones. Palantir Technologies plans to phase out Android phones and begin using Apple devices after performing the investigation.

The fix: If you have a Pixel phone, update to the newest operating system as soon as Google releases it. If you have a different Android phone, watch for new versions and update your phone immediately when the next version is released.

Entra ID Vulnerability Affects Hybrid Environments

Type of vulnerability: Authentication bypass.

The problem: Researchers at security firm Cymulate have discovered a vulnerability within Microsoft Entra ID, the product formerly known as Azure Active Directory (AAD). This is the cloud-based version of Active Directory, not the on-premises one (which is known simply as Active Directory). The flaw occurs when Entra ID users sync multiple on-prem Active Directory domains to a single Microsoft Azure tenant in the cloud.

“This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access,” Cymulate’s report said. Threat actors manipulate credential validation and then don’t have to submit to typical security checks.

“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.”

This can happen regardless of the threat actor’s initial Active Directory domain and allow them to move to another on-prem domain, Cymulate researchers Ilan Kalendarov and Elad Beber said. The researchers reported the issue to Microsoft in July. As of the release of Cymulate’s report, there’s no current estimated timeline for the fix.

The fix: Despite that, Cymulate recommends some mitigation strategies for this vulnerability, including enabling two-factor authentication for all synced users. They also remind customers that following Microsoft’s Secure Privilege Access guide helps harden the Microsoft Entra Connect Server.

August 17, 2024

Linux Vulnerability Affects Kernel’s Memory Allocation

Type of vulnerability: Linux DMA allocation.

The problem: Researchers discovered and fixed a vulnerability within the Linux kernel’s Direct Memory Access (DMA) allocation code. The flaw exists in the dmam_free_coherent() function, which performs two operations in the wrong order, and the fix is to swap them.

The dmam_free_coherent() function first frees the DMA allocation, at which point the freed vaddr becomes available for reuse, and only then calls the devres_destroy() function to remove and free the data structure that tracks the DMA allocation. Between the two calls, a concurrent task could make an allocation that receives the same vaddr and add it to the devres list.

“If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match,” said the advisory.

The fix: This vulnerability is solved by destroying the devres entry before freeing the DMA allocation, according to the GitHub advisory posted for the vulnerability.
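To make the ordering concrete, here is an added user-space model (not kernel code, and not from the advisory) of a devres list and of the two call orders; it assumes a toy allocator that always hands back the same buffer, so the concurrent reuse described above happens deterministically:

```c
#include <string.h>

/* Constructed model of the kernel's devres list (one entry per managed DMA
 * allocation, matched by vaddr as dmam_match() does). Not kernel code. */
#define MAX_ENTRIES 4
struct devres_entry { void *vaddr; int owner; int live; };
static struct devres_entry devres[MAX_ENTRIES];
static void devres_add(void *vaddr, int owner)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (!devres[i].live) {
            devres[i] = (struct devres_entry){ vaddr, owner, 1 };
            return;
        }
}
/* Drop the newest live entry with this vaddr (the kernel walks its devres
 * list in reverse). Returns that entry's owner, or -1 if none matched. */
static int devres_destroy(void *vaddr)
{
    for (int i = MAX_ENTRIES - 1; i >= 0; i--)
        if (devres[i].live && devres[i].vaddr == vaddr) {
            devres[i].live = 0;
            return devres[i].owner;
        }
    return -1;
}
struct race_result { int removed_owner; int surviving_owner; };
/* Task A (owner 1) frees its buffer while task B (owner 2) allocates, and the
 * allocator hands B the vaddr A just released. destroy_first selects the
 * patched order: untrack the allocation before freeing it. */
struct race_result simulate_free_race(int destroy_first)
{
    static char buffer[64];            /* the one buffer the toy allocator owns */
    void *vaddr = buffer;
    struct race_result r = { -1, -1 };
    memset(devres, 0, sizeof devres);
    devres_add(vaddr, 1);                           /* A's allocation is tracked */
    if (destroy_first)
        r.removed_owner = devres_destroy(vaddr);    /* patched: A's entry goes first */
    /* dma_free_coherent(vaddr) happens here; B then allocates the same vaddr */
    devres_add(vaddr, 2);
    if (!destroy_first)
        r.removed_owner = devres_destroy(vaddr);    /* buggy: A removes B's entry */
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (devres[i].live && devres[i].vaddr == vaddr)
            r.surviving_owner = devres[i].owner;
    return r;
}
```

With the buggy order, A’s cleanup deletes B’s tracking entry and leaves A’s stale one behind, which is the mismatched-entry state that trips the WARN_ON() in dmam_match; with the patched order, each task only ever touches its own entry.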

Jenna Phipps
